[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL checks and slapo-unique



HI!

What really strikes users is the lack of feedback in case a unique
constraint or other constraint fails.

Let's look at error messages of slapo-unique first. I'm experimenting
with a pretty simple patch for returning the effective uniqueness filter
in the diagnosticMessage.

Example output with this patch (line wrapped):

$ ldapadd -f test.ldif
adding new entry "uid=foo,ou=Users,dc=example,dc=com"
ldap_add: Constraint violation (19)
	additional info: non-unique attributes found with
(|(uid=foo)(uidNumber=20000))

Even this minimum information is already somewhat useful. Of course it
would be even more nice to get the list of non-unique attribute values
returned.
(I vaguely remember some idea for a "What Failed?" response control.)

Now formerly one of the arguments against returning more information in
the diagnosticMessage was that this would reveal content information to
an attacker which is obtained by an internal search with a more
privileged authz-ID.

Yes, that's right.

But this problem exists anyway because an attacker can probe
values by adding entries with non-unique attributes and determine
whether an attribute value exists or not by distinguishing the result
code constraintViolation(19) vs. insufficientAccessRights(50).
Even worse this even works in case the attacker does not have read
access anywhere!

This leads to the question whether some sort of access control or limit
check should be applied in unique_search().

What do you think?

Ciao, Michael.